From: Dmitry Timoshkov dmitry@baikal.ru
Manual testing shows that EncryptMessage() returns SEC_E_UNSUPPORTED_FUNCTION in that case.
Signed-off-by: Dmitry Timoshkov dmitry@baikal.ru
---
 dlls/kerberos/unixlib.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c
index 51580458811..979e9e8c622 100644
--- a/dlls/kerberos/unixlib.c
+++ b/dlls/kerberos/unixlib.c
@@ -459,11 +459,17 @@ fail:
 return FALSE;
 }
-static BOOL is_dce_style_context( gss_ctx_id_t ctx )
+static OM_uint32 get_context_flags( gss_ctx_id_t ctx )
 {
 OM_uint32 ret, minor_status, flags;
 ret = pgss_inquire_context( &minor_status, ctx, NULL, NULL, NULL, NULL, &flags, NULL, NULL );
- return (ret == GSS_S_COMPLETE && (flags & GSS_C_DCE_STYLE));
+ return ret == GSS_S_COMPLETE ? flags : 0;
+}
+
+static BOOL is_dce_style_context( gss_ctx_id_t ctx )
+{
+ OM_uint32 flags = get_context_flags( ctx );
+ return flags & GSS_C_DCE_STYLE;
 }
static NTSTATUS status_gss_to_sspi( OM_uint32 status )
@@ -971,8 +977,11 @@ static NTSTATUS seal_message( void *args )
 {
 struct seal_message_params *params = args;
 gss_ctx_id_t ctx = ctxhandle_sspi_to_gss( params->context );
+ OM_uint32 flags = get_context_flags( ctx );
+
+ if (!(flags & GSS_C_CONF_FLAG)) return SEC_E_UNSUPPORTED_FUNCTION;
- if (is_dce_style_context( ctx )) return seal_message_vector( ctx, params );
+ if (flags & GSS_C_DCE_STYLE) return seal_message_vector( ctx, params );
 return seal_message_no_vector( ctx, params );
 }
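Review bot: In the rewritten `is_dce_style_context` (first hunk), `return flags & GSS_C_DCE_STYLE;` hands back the raw mask bit, whereas the removed `&&` expression always produced 0 or 1. The result is still truthy for `if (...)` callers, but a caller that compares against TRUE or stores the result in a narrower type would misbehave; callers other than `seal_message` are outside this hunk, so that cannot be ruled out from here. `return (flags & GSS_C_DCE_STYLE) != 0;` keeps the previous 0/1 contract.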
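Review bot: In `seal_message` (second hunk), a failed `pgss_inquire_context` cannot be told apart from a context negotiated without confidentiality, because `get_context_flags` folds every non-GSS_S_COMPLETE result into 0 and the new guard then returns SEC_E_UNSUPPORTED_FUNCTION. Refusing to seal is the right fail-closed outcome, but for an invalid or expired context that status misreports the cause to the caller and to anyone reading traces. Consider having the helper return the major status with the flags as an out parameter, and mapping a failure through `status_gss_to_sspi` before testing GSS_C_CONF_FLAG; `is_dce_style_context` would need the matching adjustment.

```c
static OM_uint32 get_context_flags( gss_ctx_id_t ctx, OM_uint32 *flags )
{
    OM_uint32 minor_status;

    *flags = 0; /* stays 0 if the query fails, so callers still fail closed */
    return pgss_inquire_context( &minor_status, ctx, NULL, NULL, NULL, NULL, flags, NULL, NULL );
}

/* … unchanged: is_dce_style_context, adapted to the new signature … */

static NTSTATUS seal_message( void *args )
{
    /* … unchanged: params and ctx declarations … */
    OM_uint32 flags, ret = get_context_flags( ctx, &flags );

    if (ret != GSS_S_COMPLETE) return status_gss_to_sspi( ret );
    if (!(flags & GSS_C_CONF_FLAG)) return SEC_E_UNSUPPORTED_FUNCTION;
    /* … unchanged: DCE-style dispatch … */
```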
From: Dmitry Timoshkov dmitry@baikal.ru
Manual testing shows that InitializeSecurityContext(ISC_REQ_CONFIDENTIALITY) returns ISC_RET_INTEGRITY in attributes, but not the other way around.
Signed-off-by: Dmitry Timoshkov dmitry@baikal.ru
---
 dlls/kerberos/unixlib.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c
index 979e9e8c622..478ad0d4bbb 100644
--- a/dlls/kerberos/unixlib.c
+++ b/dlls/kerberos/unixlib.c
@@ -757,6 +757,8 @@ static NTSTATUS initialize_context( void *args )
if (params->target_name && (status = import_name( params->target_name, &target ))) return status;
+ if (req_flags & GSS_C_CONF_FLAG) req_flags |= GSS_C_INTEG_FLAG;
+
 ret = pgss_init_sec_context( &minor_status, cred_handle, &ctx_handle, target, GSS_C_NO_OID, req_flags, 0, GSS_C_NO_CHANNEL_BINDINGS, &input_token, NULL, &output_token, &ret_flags, &expiry_time );
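Review bot: The added `if (req_flags & GSS_C_CONF_FLAG) req_flags |= GSS_C_INTEG_FLAG;` has no comment, so its rationale (the observed Windows behaviour that a confidentiality request also yields ISC_RET_INTEGRITY) exists only in the commit message. A one-line comment above it, for example `/* Windows reports integrity whenever confidentiality is requested */`, would keep a later cleanup from dropping the line as redundant. The line only changes what is requested: whether integrity is reported back depends on `ret_flags` from `pgss_init_sec_context` and on how `initialize_context` translates it, which is outside this hunk.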
Hans Leidekker (@hans) commented about dlls/kerberos/unixlib.c:
{ struct seal_message_params *params = args; gss_ctx_id_t ctx = ctxhandle_sspi_to_gss( params->context );
- OM_uint32 flags = get_context_flags( ctx );
- if (!(flags & GSS_C_CONF_FLAG)) return SEC_E_UNSUPPORTED_FUNCTION;
I guess this should depend on SECQOP_WRAP_NO_ENCRYPT/KERB_WRAP_NO_ENCRYPT.
On Wed Jun 11 08:32:54 2025 +0000, Hans Leidekker wrote:
I guess this should depend on SECQOP_WRAP_NO_ENCRYPT/KERB_WRAP_NO_ENCRYPT.
You are correct, EncryptMessage(SECQOP_WRAP_NO_ENCRYPT) succeeds in that case.